Let’s play a game. Below are clues describing a specific
type of cyberattack; can you guess what it is?
- This cyberattack is an automated bot-based
- It uses automation tools such as cURL and
- It leverages breached usernames and passwords
- Its primary goal is to hijack accounts to access
sensitive data, but denial of service is another consequence
- The financial services industry has been the
Struggling? We understand, it’s tricky! Here are two more
- Hackers will often route login requests through
proxy servers to avoid blacklisting their IP addresses
- It is a subset of Brute Force attacks, but
different from credential cracking
And the Answer Is….
Credential stuffing! If you didn’t guess correctly, don’t
worry. You certainly aren’t alone. At this year’s RSA
Conference, Radware invited attendees to participate
in a #HackerChallenge. Participants were given clues and asked to diagnose
threats. While most were able to surmise two other cyber threats, credential stuffing stumped the majority.
Understandably so. For one, events are
happening at a breakneck pace. In the last few months alone, there have been
several high-profile attacks leveraging different password attacks, from
credential stuffing to credential
spraying. It’s entirely possible that people are
conflating the terms and thus the attack vectors. Likewise, they may also
confuse credential stuffing with credential cracking.
Stuffing vs. Cracking vs. Spraying
As we’ve previously
written, credential stuffing is a subset of brute force attacks but is
different from credential cracking. Credential stuffing campaigns do not
involve the process of brute forcing password combinations. Rather, they
leverage leaked username and passwords in an automated fashion against numerous
websites to take over users’ accounts due to credential reuse.
Conversely, credential cracking attacks are an automated web attack wherein criminals attempt to crack users’ passwords or PIN numbers by processing through all possible combines of characters in sequence. These attacks are only possible when applications do not have a lockout policy for failed login attempts. Software for this attack will attempt to crack the user’s password by mutating or brute forcing values until the attacker is successfully authenticated.
As for credential (or password) spraying,
this technique involves using a limited set of company-specific passwords in
attempted logins for known usernames. When conducting these types of attacks, advanced
cybercriminals will typically scan your infrastructure for external facing apps
and network services such as webmail, SSO and VPN gateways. Usually, these
interfaces have strict timeout features. Actors will use password spraying vs.
brute force attacks to avoid being timed out and possibly alerting admins.
So What Can You Do?
A dedicated bot
management solution that is tightly integrated into your Web Application
Firewall (WAF) is critical. Device fingerprinting, CAPTCHA, IP rate-based
In addition to these steps, network operators should apply
two-factor authentication where eligible and monitor dump credentials for
potential leaks or threats.
Read “Radware’s 2018 Web Application Security Report” to learn more.
Daniel Smith is an information security researcher for Radware’s Emergency Response Team. He focuses on security research and risk analysis for network and application based vulnerabilities.
Daniel’s research focuses in on Denial-of-Service attacks and includes analysis of malware and botnets. As a white-hat hacker, his expertise in tools and techniques helps Radware develop signatures and mitigation attacks proactively for its customers.
*** This is a Security Bloggers Network syndicated blog from Radware Blog authored by Daniel Smith. Read the original post at: https://blog.radware.com/security/attack-types-and-vectors/2019/04/can-you-crack-the-hack/